Find a file

Patrick Großmann 50398de75e chore: flake update fix: new smb naming		2024-01-19 20:48:01 +01:00
hosts	fix: extra-modules update	2024-01-18 20:10:54 +01:00
img	feat: more streamdeck config	2023-09-28 19:52:12 +02:00
keys	Patrick strinkt	2023-12-28 20:49:53 +01:00
lib	feat: gitea config	2024-01-12 15:47:43 +01:00
modules	chore: flake update	2024-01-19 20:48:01 +01:00
nix	feat: adguard home	2024-01-11 22:42:03 +01:00
pkgs	feat: setup elisabeth	2024-01-13 16:07:55 +01:00
secrets	feat: paperless	2024-01-18 00:39:25 +01:00
users	chore: flake update	2024-01-19 20:48:01 +01:00
.envrc	chore: update	2023-12-17 01:27:40 +01:00
.gitignore	feat: continue nixvim implementation	2023-11-07 21:16:39 +01:00
flake.lock	chore: flake update	2024-01-19 20:48:01 +01:00
flake.nix	fix: update fucked shit	2024-01-15 20:46:53 +01:00
hosts.toml	feat: adguard home	2024-01-11 22:42:03 +01:00
README.md	feat: continue nixvim implementation	2023-11-07 21:16:39 +01:00
statix.toml	feat: systemd upgrade	2023-09-18 17:27:54 +02:00

README.md

Meine wundervolle nix config

Structure

hosts/ contain nixos configuration for hosts
- <hostname>/ configuration for hosts
  - default.nix Toplevel system definition
  - fs.nix file system definiton
  - net.nix network setup
  - secrets/ secrets local to this hosts
    - secrets.nix.age local secrets usable on deploy
    - host.pub host public key, needed for rekeying agenix secrets
modules/ extra nixos modules and shared configurations
- secrets.nix module to enable deploy-time secrets
- config/ base configuration used on all machines
- dev/ configuration options enabling developer environment
- graphical/ configuration for graphical environments
- hardware/ configuration for hardware components
- impermanence/ impermanence modules for hosts
nix/ additional nix functions
- devshell.nix Development shell
- extra-builtins.nix Extra builtin plugin file to enable repository secrets
- TODO
- lib.nix additional library functions
secrets/ global secrets
- <name>.key.pub public key handles to decrypt secrets using yubikey
- recipients.txt rage recipient file for encrypting secrets
  - currently containing both yubikeys and a rage backup key
- secrets.nix.age global secrets available at deploy
users/ home manager user configuration
- common/ shared home-manager modules
  - graphical/ configuration for graphical programs
  - programs/ configuration for miscellaneous programs
  - shells/ configuration for shells
  - default.nix minimal setup for all users
  - interactive.nix minimal setup for interactive users on a command line
  - graphical.nix configuration for users utilizing a graphical interface
- <username>/ configuration for users
  - impermanence.nix users persistence configuration
keys collection of yubikeys public key parts for decryption
img images, encrypted to not break any copyright by redistribution

Hosts

patricknix Patricks main laptop
desktopnix Patricks main desktop
testienix old laptop for testing
gojo Simons Laptop

Users

patrick my normal everyday unprivileged user
root root user imported by every host

Flake output structure

checks linting and other checks for this repository
- pre-commit-check automatic checks executed as pre-commit hooks
nixosHosts top level configs for hosts
nodes alias to nixosNodes
devshell development shell using devshell
formatter nix code formatter
hosts host meta declaration
pkgs nixpkgs
packages additional packages
secretsConfig meta configuration for secrets
stateVersion global stateversion used by nixos and home-manager to determine default config

How-To

Add additional hosts

Add host definition to hosts.toml
Create host configuration in hosts/<name>
1. Create and fill default.nix
2. Fill net.nix
3. Fill fs.nix
4. Don't forget to add necesarry config for filesystems, etc.
Generate ISO image with nix build --print-out-paths --no-link .#images.<target-system>.live-iso
- This might take multiple minutes(~10)
- Alternatively boot an official nixos image connect with password
Copy ISO to usb using dd
After booting copy the installer to the live system using nix copy --to <target> .#packages.<target-system>.installer-package.<target>
Run the installer script from the nix store of the live system
- you can get the path using nix path-info .#packages.<target-system>.installer-package.<target>
Export all zpools and reboot into system
Retrieve hostkeys using ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub
Deploy system

Add secureboot to new systems

generate keys with sbct create-keys
tar the resulting folder using tar cvf secureboot.tar -C /etc/secureboot .
Copy the tar to local using scp and encrypt it using rage
- rage -e -R ./secrets/recipients.txt secureboot.tar -o <host>/secrets/secureboot.tar.age
safe the encrypted archive to hosts/<host>/secrets/secureboot.tar.age
DO NOT forget to delete the unecrypted archives
Deploy your system with lanzaboote enabled
- link /run/secureboot to /etc/secureboot
- This is necesarry since for your this apply the rekeyed keys are not yet available but already needed for signing the boot files
ensure the boot files are signed using sbctl verify
Now reboot the computer into BIOS and enable secureboot, this may include removing any existing old keys
bootctl should now read Secure Boot: disabled (setup)
you can now enroll your secureboot keys using
sbctl enroll-keys If you want to be able to boot microsoft signed images append --microsoft
Time to reboot and pray

Add luks encryption TPM keys

systemd-cryptenroll --tpm2-with-pin={yes/no} --tpm2-device=auto <device>

Deploy

If deploying from a host not containing the necessary nix configuration option append

--nix-option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --nix-option extra-builtins-file ./nix/extra-builtins`